The AWS Certified DevOps Engineer – Professional (DOP-C02) is one of the most respected — and most demanding — certifications AWS offers. It sits at the intersection of software delivery, infrastructure automation, and production operations, and it expects you to think like an engineer who actually runs systems at scale, not someone who memorized service names.
If you can design a deployment pipeline, automate recovery from failure, enforce governance across dozens of accounts, and explain why you’d reach for CodeDeploy blue/green over a rolling update, this exam is winnable. This guide breaks down everything you need: the six domains, the services that dominate the question pool, the patterns that show up again and again, and a realistic study plan to get you certification-ready.
What the DOP-C02 Exam Actually Tests
DOP-C02 is a professional-level exam. That distinction matters. Associate exams ask “what does this service do?” The professional exam asks “given these constraints, which combination of services produces the most automated, resilient, and cost-aware outcome?”
Here are the exam logistics at a glance:
| Attribute | Detail |
|---|---|
| Exam code | DOP-C02 |
| Questions | 75 (65 scored, 10 unscored) |
| Duration | 180 minutes |
| Question format | Multiple choice & multiple response |
| Passing score | 750 / 1000 (scaled) |
| Cost | 300 USD |
| Recommended experience | 2+ years provisioning and operating AWS environments |
There are no hands-on lab tasks — every question is scenario-based multiple choice or multiple response. But don’t let that fool you into thinking it’s theoretical. The scenarios are long, detailed, and full of distractors. Two answers will be technically correct; only one will be correct for the constraints stated. Reading carefully is half the battle.
The Six Exam Domains
AWS weights the DOP-C02 across six domains. Knowing the weighting tells you where to invest your study time.
| Domain | Title | Weight |
|---|---|---|
| 1 | SDLC Automation | 22% |
| 2 | Configuration Management & IaC | 17% |
| 3 | Resilient Cloud Solutions | 15% |
| 4 | Monitoring & Logging | 15% |
| 5 | Incident & Event Response | 14% |
| 6 | Security & Compliance | 17% |
Domain 1 (SDLC Automation) is the single largest slice, and Domains 1, 2, and 6 together make up well over half the exam. Master CI/CD pipelines, infrastructure as code, and security automation, and you’ve covered the majority of the scored content.
Domain 1: SDLC Automation (22%)
This is the heart of the exam. You need to design, build, and troubleshoot continuous integration and continuous delivery pipelines using AWS-native tooling.
The Core Pipeline Services
- CodePipeline — orchestrates the stages (source → build → test → deploy). Think of it as the conductor.
- CodeBuild — runs your builds and tests in managed, ephemeral containers driven by a
buildspec.yml. - CodeDeploy — handles the actual deployment to EC2, on-premises servers, Lambda, and ECS.
- CodeArtifact and Amazon ECR — store build artifacts and container images.
You’ll be expected to know deployment strategies cold. Here’s the cheat sheet the exam rewards:
| Strategy | What happens | Best when |
|---|---|---|
| In-place / rolling | Instances updated in batches | You can tolerate brief mixed-version state |
| Blue/green | New fleet stood up, traffic shifted, old torn down | You need instant rollback, zero downtime |
| Canary (Lambda/ECS) | Small % of traffic shifted, then the rest | You want to validate on real traffic first |
| Linear | Equal traffic increments on a fixed interval | Gradual, predictable rollout |
A classic DOP-C02 question gives you a “must roll back instantly with zero downtime” requirement — the answer is almost always blue/green via CodeDeploy. A “validate on 10% of production traffic before full rollout” requirement points to a canary deployment.
A Minimal buildspec.yml
CodeBuild is driven by a buildspec.yml. You should be able to read one fluently:
version: 0.2
phases:
install:
runtime-versions:
nodejs: 20
pre_build:
commands:
- echo Logging in to Amazon ECR...
- aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_URI
build:
commands:
- docker build -t $ECR_URI:$CODEBUILD_RESOLVED_SOURCE_VERSION .
post_build:
commands:
- docker push $ECR_URI:$CODEBUILD_RESOLVED_SOURCE_VERSION
artifacts:
files:
- imagedefinitions.jsonKnow the four phases (install, pre_build, build, post_build), how artifacts flow to the next stage, and how environment variables and Parameter Store / Secrets Manager values get injected.
Domain 2: Configuration Management & Infrastructure as Code (17%)
If Domain 1 is about shipping code, Domain 2 is about shipping infrastructure. The exam strongly favors AWS CloudFormation as the IaC engine, with supporting roles for the CDK, Systems Manager, and OpsWorks (legacy, lightly tested).
CloudFormation Patterns That Show Up
- Nested stacks for reusable components and to stay under resource limits.
- StackSets to deploy the same template across multiple accounts and Regions — a frequent multi-account answer.
- Change sets to preview modifications before they execute.
- Drift detection to find resources changed outside of CloudFormation.
- Deletion policies (
Retain,Snapshot) to protect stateful resources.
A common scenario: “deploy a standardized baseline to 50 accounts in an organization.” The intended answer pairs CloudFormation StackSets with AWS Organizations, not 50 manual deployments.
Systems Manager for Configuration
AWS Systems Manager (SSM) is everywhere on this exam:
- Parameter Store — configuration and secrets (with KMS encryption for
SecureString). - State Manager & Automation runbooks — enforce and remediate configuration drift on instances.
- Patch Manager — automated, compliant patching across fleets.
- Session Manager — shell access without SSH, bastion hosts, or open inbound ports.
When a question says “no inbound ports, no SSH keys, full audit trail,” the answer is Session Manager.
Domain 3: Resilient Cloud Solutions (15%)
This domain is about high availability, fault tolerance, and disaster recovery. You’ll need to match a recovery requirement to the right DR strategy:
| DR Strategy | RTO/RPO | Cost |
|---|---|---|
| Backup & Restore | Hours | Lowest |
| Pilot Light | Tens of minutes | Low |
| Warm Standby | Minutes | Medium |
| Multi-Site Active/Active | Near-zero | Highest |
Tie this to services: Auto Scaling groups across multiple Availability Zones, Route 53 health checks and failover routing, RDS Multi-AZ vs. read replicas (Multi-AZ is for availability, read replicas are for scale and cross-Region DR), and DynamoDB global tables for active-active data.
Expect questions that force you to distinguish availability (surviving an AZ failure) from durability (not losing data) from scalability (handling more load). They’re different problems with different answers.
Domain 4: Monitoring & Logging (15%)
You can’t operate what you can’t see. Amazon CloudWatch is the centerpiece:
- CloudWatch Logs — centralized log aggregation; use subscription filters to stream to Lambda, Kinesis, or OpenSearch in real time.
- Metrics & alarms — including custom metrics and metric filters that turn log patterns into numbers you can alarm on.
- CloudWatch Agent — for memory and disk metrics EC2 doesn’t emit by default.
- EventBridge — the event bus that ties detection to automated response.
Layer in AWS X-Ray for distributed tracing and CloudTrail for the API audit trail. A frequent pattern: “detect a specific error pattern in application logs and trigger remediation” → metric filter on a log group → CloudWatch alarm → EventBridge / SNS → Lambda.
Domain 5: Incident & Event Response (14%)
This domain rewards event-driven automation. The mental model AWS wants is: something happens → an event fires → automation responds — no human in the loop.
The plumbing:
- EventBridge rules match events (state changes, scheduled cron, third-party SaaS) and route them to targets.
- Lambda runs the remediation logic.
- Systems Manager Automation runs predefined runbooks for common fixes.
- SNS / SQS handle fan-out notification and decoupling.
- AWS Config with remediation actions auto-corrects non-compliant resources.
Example: “automatically remediate an S3 bucket that becomes public.” The answer chains AWS Config rule (s3-bucket-public-read-prohibited) → automatic remediation via an SSM Automation document. Know that Config detects and can remediate, while EventBridge + Lambda is the more flexible custom path.
Domain 6: Security & Compliance (17%)
The second-largest domain. DevOps and security are inseparable here — “DevSecOps” is the whole point.
Key services and patterns:
- IAM roles, policies, permission boundaries, and the difference between identity-based and resource-based policies.
- Secrets Manager (automatic rotation) vs. Parameter Store SecureString (cheaper, no native rotation).
- AWS Config for continuous compliance and configuration history.
- GuardDuty (threat detection), Security Hub (aggregated findings), Inspector (vulnerability scanning), and Macie (sensitive data discovery).
- KMS for encryption key management and key policies.
A recurring theme: embedding security into the pipeline. Think image scanning in ECR, static analysis in CodeBuild, and signing artifacts before deployment. When a scenario asks how to “rotate database credentials automatically every 30 days,” the answer is Secrets Manager rotation, not Parameter Store.
How the Domains Connect: A Reference Architecture
The exam loves end-to-end scenarios. A canonical fully-automated pipeline looks like this:
Developer push (CodeCommit/GitHub)
│
CodePipeline (orchestration)
│
CodeBuild ── unit tests, image scan, buildspec.yml
│
Artifact to ECR / S3
│
CodeDeploy ── blue/green to ECS
│
CloudWatch alarms + X-Ray traces
│
EventBridge ── on alarm ── Lambda rollback / SSM runbookIf you can draw this from memory and explain what you’d swap for a stricter RTO, a multi-account org, or a compliance mandate, you’re thinking at the professional level the exam demands.
A Realistic 6-to-8 Week Study Plan
This is a professional exam — most successful candidates spend 6 to 10 weeks. Here’s a structure that works for someone already comfortable at the associate level.
| Week | Focus |
|---|---|
| 1–2 | SDLC Automation: CodePipeline, CodeBuild, CodeDeploy. Build a real pipeline. |
| 3 | IaC: CloudFormation deep dive, StackSets, SSM. |
| 4 | Resilient solutions & DR strategies; multi-AZ/Region patterns. |
| 5 | Monitoring & logging: CloudWatch, EventBridge, X-Ray. |
| 6 | Incident response automation & Security/Compliance. |
| 7–8 | Full-length timed mock exams, review weak domains, repeat. |
The single highest-leverage activity in weeks 7–8 is timed, full-length mock exams. They train three things the reading alone can’t: pacing across 75 long questions in 180 minutes, spotting distractors, and managing exam fatigue.
This is exactly where realistic practice matters. The AWS Certified DevOps Engineer – Professional (DOP-C02) Mock Exam Bundle on Sailor.sh gives you full-length, exam-weighted mock exams with detailed explanations for every answer — so you don’t just learn that an answer is wrong, you learn why, which is the skill the real exam tests. Use them to find your weak domains, then loop back to the study material until your scores stabilize above passing.
Exam-Day Strategy
A few tactics that consistently help on DOP-C02:
- Read the last sentence of the question first. It usually contains the actual ask (“most cost-effective,” “least operational overhead,” “fastest rollback”). The qualifier decides the answer.
- Eliminate aggressively. Two options are usually obviously wrong. Of the remaining two, pick the one that better matches the stated constraint.
- Watch for “least operational overhead.” This phrase almost always favors managed, serverless, or fully-automated options over self-managed ones.
- Flag and move on. With ~2.4 minutes per question, don’t burn 8 minutes on one. Flag it, bank the easy points, return later.
- Multiple-response questions tell you how many to pick. Pick exactly that many — no partial credit.
Common Mistakes to Avoid
- Confusing CodeDeploy deployment types across compute targets. EC2/on-prem, Lambda, and ECS each support different strategies. Don’t assume blue/green works identically everywhere.
- Mixing up Multi-AZ and read replicas for RDS. Multi-AZ = availability/failover. Read replicas = read scaling and cross-Region DR.
- Reaching for Lambda when an SSM Automation runbook is the intended low-code answer. The exam often prefers the managed runbook.
- Forgetting that Parameter Store doesn’t natively rotate secrets. Rotation = Secrets Manager.
For broader AWS context, it helps to be solid on the underlying building blocks first. If any associate-level foundations feel shaky, our AWS Solutions Architect Associate guide and AWS Security Specialty exam guide cover the networking, IAM, and security patterns the professional exam builds on. If you’re automating infrastructure with non-AWS tooling, the Terraform Associate exam guide pairs naturally with the IaC domain.
Frequently Asked Questions
How hard is the DOP-C02 compared to the associate exams?
Significantly harder. The questions are longer, the scenarios more nuanced, and the distractors more convincing. Most candidates report it as one of the toughest AWS exams alongside the Solutions Architect Professional. Solid associate-level experience plus real hands-on automation work is the realistic prerequisite.
Do I need the SysOps or Developer Associate before taking DOP-C02?
AWS removed the formal prerequisite years ago, so you can sit DOP-C02 directly. That said, the knowledge from the Developer and SysOps Associate tracks maps almost perfectly onto this exam. If you’ve done that work — formally certified or not — you’ll be far better prepared.
How much hands-on experience do I really need?
AWS recommends two or more years of provisioning, operating, and managing AWS environments. The exam genuinely reflects that. If you’ve built CI/CD pipelines, written CloudFormation, and responded to production incidents, the scenarios will feel familiar rather than abstract.
Are there hands-on labs on the exam?
No. DOP-C02 is entirely multiple choice and multiple response. But the scenarios are written by people who expect you to have done the hands-on work, so practical experience still pays off directly.
How long is the certification valid?
AWS certifications are valid for three years. You can recertify by passing the current version of the exam (or a higher-level one) before it expires.
What’s the fastest way to know if I’m ready?
Score consistently above the passing mark on full-length, exam-weighted mock exams under real time pressure. One good score can be luck; three in a row across different question sets is a reliable signal you’re ready to book the real thing.
Final Thoughts
The DOP-C02 isn’t a memorization exam — it’s a judgment exam. It rewards engineers who understand why one automation pattern beats another under a specific set of constraints. Build real pipelines, write real CloudFormation, automate real remediations, and the scenarios stop feeling like trick questions and start feeling like Tuesday at work.
Anchor your preparation in the six domains, weight your time toward SDLC automation, IaC, and security, and validate your readiness with realistic, timed DOP-C02 mock exams before you book. Do that, and walking in with confidence becomes the easy part.